Date: 2020-02-06

Video: https://www.youtube.com/watch?v=ZrkZUO2g4DE

Academics from Israel have detailed and demonstrated a new method for stealing data from air-gapped computers.

The method relies on making small adjustments to the brightness of an LCD screen. The tweaks are imperceptible to the human eye, but they can be detected and extracted from video footage using algorithmic methods.

This article describes this new method of stealing data, but readers should know from the start that this attack is not something regular users need to worry about; it is highly unlikely that they will ever encounter it.

The attack is called BRIGHTNESS and is designed for air-gapped setups – computers kept on a separate network with no internet access.

Air-gapped computers are often found in government systems that store top-secret documents, or in corporate networks dedicated to storing proprietary, non-public information.

Creative hackers can find a way to infect these systems – for instance with an infected USB stick plugged into them – but it is much harder to get data back out of an air-gapped network.

This is where a team of academics at Ben-Gurion University of the Negev in Israel has specialized. In recent years they have studied ways to extract data from already infected air-gapped systems.

Past academic research in the field includes data exfiltration techniques such as:

LED-it-Go – exfiltrate data from air-gapped systems via the activity LED of an HDD

USBee – make the data bus of a USB connector generate electromagnetic emissions that can be used to exfiltrate data

AirHopper – use the local GPU card to send electromagnetic signals to a nearby mobile phone, also used to steal data

Fansmitter – steal data from air-gapped PCs using the sounds of a computer's GPU fan

DiskFiltration – use controlled HDD read/write operations to steal data via sound waves

BitWhisper – exfiltrate data from non-networked computers using heat emissions

Unnamed attack – uses flatbed scanners to relay commands to malware-infected PCs or to exfiltrate data from infected systems

xLED – use router or switch LEDs to exfiltrate data

aIR-Jumper – use the infrared capabilities of a security camera to steal data from air-gapped networks

HVACKer – use HVAC systems to control malware on air-gapped systems

MAGNETO & ODINI – steal data from systems protected by a Faraday cage

MOSQUITO – steal data from PCs using connected speakers and headphones

PowerHammer – steal data from air-gapped systems via power lines

CTRL-ALT-LED – steal data from air-gapped systems via keyboard LEDs

How the “BRIGHTNESS” attack works

The new BRIGHTNESS attack is similar to all the methods described above. The steps are as follows:

Infection of the air-gapped system. Malware running on the infected computer collects the data it wants to steal.

The malware changes the screen's color settings to alter its brightness level. The brightness is adjusted up or down to transmit a binary 0/1 pattern, sending the file one bit at a time.

A nearby attacker records the screen of the infected computer.

The video is analyzed and the file is reconstructed from the variations in screen brightness.

The research team said it tested the BRIGHTNESS attack in various configurations. The researchers say they obtained the best results by changing the red color of the pixels by about 3% from its normal value.

Image: Ben-Gurion University of the Negev, Israel

This small change is invisible to the human eye because of the high refresh rates of modern LCD screens, but it can be picked up by the modern, high-resolution video cameras commonly found in webcams, smartphones, laptops, or surveillance equipment.

BRIGHTNESS attack is really slow

However, sending data this way is extremely slow. The researchers reported maximum speeds of 5-10 bits/second, an incredibly low transmission rate – one of the lowest of all the air-gap exfiltration attacks mentioned earlier in this article.

Image: Ben-Gurion University of the Negev, Israel

At this speed the attack can be useful for stealing a small encryption key, but do not hold your breath waiting to exfiltrate a 1 GB ZIP archive without the risk of being detected.

The research team says the easiest way to mitigate BRIGHTNESS attacks is to apply polarized film to computer screens.

“The user gets a clear picture, while people and cameras would see a dark screen remotely,” they said.

More about this technique is available in a research article titled “BRIGHTNESS: leaking sensitive data from Air-Gapped Workstations via screen brightness.”